Re: Connecting with SSL
Date: November 13, 2007 04:49PM
After two days of fiddeling around I solved most of my needs - in particular I solved the situation described above.
Concerning the original question the user name and the CN are not linked in any way. If you require a certain user certificate this is forced by REQUIRE SUBJECT. Therefore, if your PKI is correct, your sample case shold work.
I'd guess that since X509 is SSL related, you could run into trouble, if you have a full match policy defined, but the CN does not match the client's name. Try to use your certificates to setup a mutual SSL connection, e.g. using the openssl test client.
Getting the following access rule running was sometimes tedious, but after all straight forward:
GRANT ALL ON test.* TO 'test'@'%' REQUIRE SUBJECT '/C=DE/.../CN=test' AND CIPHER 'EDH-RSA-DES-CBC3-SHA';
Note that the user certificate for test reads a DN=.../CN=test/emailAddressfirstname.lastname@example.org. The emailAddress tag must not appear in the REQUIREd SUBJECT.
Actually, enforcing the encryption was the most troublesome. I finally hunted it down in syslog
Nov 13 21:44:47 test mysqld: 071113 21:44:47 [Note] X509 ciphers mismatch: should be 'EDH-RSA-DES-CBC3-SHA' but is 'DHE-RSA-AES256-SHA'
so I changed my required cipher to the stronger one offered by the client
GRANT ALL ON test.* TO 'test'@'%' REQUIRE SUBJECT '/C=DE/.../CN=test' AND CIPHER 'DHE-RSA-AES256-SHA';
and I can connect:
mysql --ssl-ca cacert.pem --ssl-cert test.cert.pem --ssl-key test.pem -u carpora -h mysql.mgr -p -- test
I'm still struggeling with some remaining issues:
1) I do not want to provide a password. I present a certificate and that shall be it.
2) AES256 is definitely good, but I want to also allow clients, which use AES128, 3DES or anything similar. My idea was something like 'MEDIUM:HIGH'. But although this combination includes the offer from the client, it is rejected.
3) I want to restrict the user to a certain netmask, e.g. 172.16.0.0\21 instead of a hostname domain.
All hints for solving these issues are appreciated.
Sorry, you can't reply to this topic. It has been closed.
Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.